- Client side exploitation

- Update process

- Poor implementation of update processes

- Attack vectors

- evilgrade framework presentation
Introduction

Client side exploitation

Searching for the Weakest Link

Bypassing the fortress walls

This technique allows, for example, turning a user's
terminal into a "proxy" to reach the internal network
of a company.
General application update process

How does it work?

• Update processes are either manual or automatic.

• The process requests a special file from the master
server, for example update.application.com/info.xml

• The file contains the information about the
available updates.

• The update is installed automatically, or the user is
asked whether to install it.
What's the problem?

Is there any problem?

Trust

• A lot of applications don't verify the contents of
the updates.

• They blindly trust the master update server
without any verification.
evilgrade

Tool Information

evilgrade is a modular framework that allows us to
take advantage of poor update implementations by
injecting fake updates.

• It's an open-source project

• It's developed in Perl
evilgrade

How does it work?

It works with modules; each module implements
the structure needed to emulate a fake update of a
specific application.

evilgrade needs the manipulation of the victim's
DNS traffic.
evilgrade

Normal update process

1. App1 starts the update process

2. It queries the DNS server for the host update.app1.com

3. The DNS server replies 200.1.1.1

4. App1 gets the file lastupdate.xml from
update.app1.com

5. App1 analyzes the update file and detects a new
update

6. App1 downloads and executes the update
http://update.app1.com/update.exe
evilgrade

Attack example

1. App1 starts the update process

2. It queries the DNS server for the host update.app1.com

3. The attacker modifies the DNS traffic and
returns another IP address, controlled by the
attacker.

4. App1 gets a file controlled by the attacker
http://update.app1.com/lastupdate.xml

5. App1 processes the file and detects a new update

6. App1 downloads and executes the backdoor
http://update.app1.com/backdoor.exe
Attack vectors?

Possibilities:

Internal scenario:

- Internal DNS access.

- ARP spoofing.

- DNS Cache Poisoning.

External scenario:

- Internal DNS access.

- DNS Cache Poisoning.
ARP spoofing


Description 

Layer 2 traffic re-routing (MITM) 
DNS Request

Description

(Figure: DNS request diagram; not recoverable from the extracted text)

http://www.infobyte.com.ar
DNS Cache poisoning

Attack

(Figure: message exchange between user1, dns1 and ns.test.com)

user1 -> dns1:         www.test.com ? ID: 1
dns1 -> ns.test.com:   www.test.com ? ID: 101
reply to dns1:         192.168.1.1   ID: 101   (the reply carrying the ID dns1 is waiting for is the one it caches)
dns1 -> user1:         192.168.1.1   ID: 1
DNS Cache poisoning

Nothing is easy

Taking care of:

- TTL.

- Cache.

- Legitimate response.

Needed information:

- Source.

- ID: 16 bits (65535 possibilities).
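Every item on this slide is a condition a forged answer has to satisfy before the resolver caches it, which makes the resolver's acceptance check the natural place for a defender to measure attempts. The following Go model is an added example, not part of the slides or of evilgrade: a resolver that accepts a response only when the transaction ID, destination port, source and question name all match an outstanding query, and that retires the query as soon as it is answered, so the legitimate response and a later duplicate cannot both land. The Rejected counter is the signal a monitor would watch, because a burst of unmatched answers is what guessing looks like on the wire. The Query and Response types, the addresses and the packets are constructed for this example; GuessSpace only puts numbers on the slide's 16-bit ID: with a fixed source port that is all the entropy there is, which is why resolvers moved to randomised source ports.

```go
package main

import "fmt"

// Query models one recursive query the resolver has sent upstream and is still
// waiting on. Constructed model for this example, not a real resolver's structure.
type Query struct {
	ID       uint16 // 16-bit transaction ID from the slide
	SrcPort  uint16 // UDP source port the query left from
	Upstream string // "addr:port" of the server asked
	Name     string
}

// Response models a UDP packet arriving on the resolver's sockets.
type Response struct {
	ID      uint16
	DstPort uint16 // port the packet was addressed to
	From    string // "addr:port" it claims to come from (spoofable, so never the only check)
	Name    string
	Answer  string
}

type key struct{ id, port uint16 }

// Resolver keeps outstanding queries, the cache they feed, and a counter of
// unmatched responses that a monitor can alert on.
type Resolver struct {
	pending  map[key]Query
	Cache    map[string]string
	Rejected int
}

func NewResolver() *Resolver {
	return &Resolver{pending: map[key]Query{}, Cache: map[string]string{}}
}

// Send records a query as outstanding.
func (r *Resolver) Send(q Query) { r.pending[key{q.ID, q.SrcPort}] = q }

// Accept admits a response only if ID, destination port, source and question
// all match an outstanding query, then retires the query so a later packet with
// the same ID (genuine or forged) cannot overwrite the cached answer.
func (r *Resolver) Accept(resp Response) bool {
	k := key{resp.ID, resp.DstPort}
	q, ok := r.pending[k]
	if !ok || q.Upstream != resp.From || q.Name != resp.Name {
		r.Rejected++
		return false
	}
	delete(r.pending, k)
	r.Cache[q.Name] = resp.Answer
	return true
}

// GuessSpace is the number of (ID, port) combinations an off-path forger must
// cover: 2^16 with a fixed source port, 2^16 times the usable ephemeral ports
// once source ports are randomised.
func GuessSpace(randomisedPorts bool) uint64 {
	ids := uint64(1) << 16
	if !randomisedPorts {
		return ids
	}
	return ids * (65536 - 1024)
}

func main() {
	r := NewResolver()
	upstream := "198.51.100.10:53" // constructed upstream server address
	r.Send(Query{ID: 101, SrcPort: 40001, Upstream: upstream, Name: "www.test.com"})

	// Constructed packets: two that match nothing, the genuine answer, then a late duplicate.
	packets := []Response{
		{ID: 101, DstPort: 40001, From: "203.0.113.5:53", Name: "www.test.com", Answer: "192.168.1.1"}, // right ID, wrong source
		{ID: 100, DstPort: 40001, From: upstream, Name: "www.test.com", Answer: "192.168.1.1"},         // wrong ID
		{ID: 101, DstPort: 40001, From: upstream, Name: "www.test.com", Answer: "203.0.113.20"},        // genuine
		{ID: 101, DstPort: 40001, From: upstream, Name: "www.test.com", Answer: "192.168.1.1"},         // duplicate after retirement
	}
	for _, p := range packets {
		fmt.Printf("id=%d from=%-18s answer=%-14s accepted=%v\n", p.ID, p.From, p.Answer, r.Accept(p))
	}
	fmt.Println("cached:", r.Cache["www.test.com"], "rejected:", r.Rejected)
	fmt.Println("guess space, fixed port:", GuessSpace(false), "randomised ports:", GuessSpace(true))
}
```

Run it with `go run`: the trace shows the wrong-source and wrong-ID packets rejected, the genuine answer cached, and the duplicate refused because the query was already retired; three rejections from one query is the kind of ratio a monitor would flag.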


Internal scenario

Sample Topology

(Figure: topology diagram showing Victim, Attacker and DNS server)
External scenario

Sample Topology

(Figure: topology diagram showing dns.internal and client.internal)
evilgrade

Is this new?

No, it's not.

The idea of the framework is the centralization
and exploitation of different update
implementations, all together in one tool.
evilgrade

What are the supported OS?

The framework is multiplatform; it only depends on
having the right payload for the platform to exploit.
evilgrade


What can I do with it? 

This attack vector allows the injection of fake 
updates to remotely access a target system. 
evilgrade

Console:

It works similar to an IOS console:

- show <object>: shows different information.

- conf <object>: enters configure mode for the object.

- set <option> "value": configures an option.

- start: starts the web server.

- stop: stops the web server.

- status: shows the web server status.
evilgrade

Modules:

package modules::sunjava;
use strict;

use Data::Dump qw(dump);

my $base =
{
    'name'        => 'Sun Microsystems Java',
    'version'     => '1.0',
    'appver'      => '< 1.6.0_03',
    'author'      => [ 'Francisco Amato < famato +[AT]+ infobyte.com.ar>' ],
    'description' => qq{},
    'vh'          => 'java.sun.com',
    'request'     => [
        {
            'req'    => '/update/[.\d]+/map\-[.\d]+.xml',   # regex friendly
            'type'   => 'file',                            # file | string | agent | install
            'method' => '',                                # any
            'bin'    => '',
            'string' => '',
            'parse'  => '',
            'file'   => './include/sunjavamap.xml'
        },
        {
            'req'    => '/v/java_update.xml$',             # regex friendly
            'type'   => 'file',                            # file | string | agent | install
            # the remaining entries of this request are cut off on the slide
        },
    ],
    # the 'options' hash of the module is shown on the Options slide
};
evilgrade

Request:

It's a collection of objects.

Each object is a possible HTTP request inside the
virtual host configured for the module.
evilgrade

Request:

Each object has:

<req>: the requested URL (regex friendly).

<type>: [ file | string | agent | install ]

<method>: [ GET | POST | TEST | "" ]

<bin>: [ 1 | "" ] whether the response is a binary file.

<string>: the string returned as the request's response.

<parse>: [ 1 | "" ] whether this file or string needs to be parsed.

<file>: the path of the file returned as the request's response.
evilgrade

Options:

'options' => {
    # 'val' and 'desc' strings left empty below are not legible on the slide
    'agent'  => { 'val'  => '',
                  'desc' => '' },
    'arg'    => { 'val'  => '',
                  'desc' => '' },
    'enable' => { 'val'  => 1,
                  'desc' => '' },
    'name'   => { 'val'     => "'javaupdate'.isrcore::utils::RndAlpha(isrcore::utils::RndNum(1))",
                  'hidden'  => 1,
                  'dynamic' => 1 },
    'title'  => { 'val'  => 'Critical update',
                  'desc' => 'Title name display in the update' },
    'description'  => { 'val'  => 'This critical update fix internal vulnerability',
                        'desc' => 'Description display in the update' },
    'atitle'       => { 'val'  => 'Critical vulnerability',
                        'desc' => 'Title name display in the systray item pop' },
    'adescription' => { 'val'  => 'This critical update fix internal vulnerability',
                        'desc' => 'Description display in the systray item pop' },
    'website'      => { 'val'  => 'http://java.com/moreinfolink',
                        'desc' => 'Website display in the update' }
}
evilgrade

Agent:

The agent is the fake update to be injected into the
victim's computer.
evilgrade


Implemented modules: 




- Java plugin 

- Winzip 

- Winamp 

- MacOS 

- OpenOffices 

- iTunes 

- linkedin toolbar 

- DAP (download accelerator) 

- notepad++ 

- speedbit 


Lab


Time for the demo. 
Cool! 
evilgrade

A more secure approach

- Update server running under HTTPS, with certificate
validation.

- Digital signatures: verify the update with a public
key.
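The attack sequence on the earlier slides works because step 6 executes whatever the host that answered the DNS query serves. The following Go program is an added example, not part of the slides or of evilgrade, showing the second countermeasure listed above: a client that pins the vendor's public key, verifies an Ed25519 signature over the update manifest, and checks the downloaded binary against the digest the signed manifest commits to, so a redirected update.app1.com cannot substitute either file. The Manifest type, its JSON encoding, the constructed seeds in NewDemoKeys, the sample payload and the update URLs are assumptions of this example; a real client would also fetch over HTTPS with certificate validation, the first countermeasure on the slide, which is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor, playing the role of
// lastupdate.xml on the slides (JSON here for brevity).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the update binary
}

// NewDemoKeys derives a deterministic Ed25519 keypair from a constructed seed so
// the demo is reproducible; a real publisher uses ed25519.GenerateKey(rand.Reader)
// and ships only the public key inside the application.
func NewDemoKeys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// HashHex returns the hex SHA-256 of a payload, as written into the manifest.
func HashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EncodeManifest serialises the manifest; the signature covers exactly these bytes.
func EncodeManifest(m Manifest) ([]byte, error) { return json.Marshal(m) }

// SignManifest is the publisher side: sign the encoded manifest with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = EncodeManifest(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyManifest is the client side: the manifest is parsed only after its
// signature verifies under the pinned key, so who answered the DNS query is irrelevant.
func VerifyManifest(pinned ed25519.PublicKey, body, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, body, sig) {
		return Manifest{}, errors.New("manifest signature invalid: update refused")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyPayload checks the downloaded bytes against the digest the signed manifest commits to.
func VerifyPayload(m Manifest, payload []byte) error {
	if HashHex(payload) != m.SHA256 {
		return errors.New("payload digest mismatch: update refused")
	}
	return nil
}

// ApplyUpdate runs both checks; only a manifest that passes both is returned.
func ApplyUpdate(pinned ed25519.PublicKey, body, sig, payload []byte) (Manifest, error) {
	m, err := VerifyManifest(pinned, body, sig)
	if err != nil {
		return Manifest{}, err
	}
	if err := VerifyPayload(m, payload); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

func main() {
	vendorPub, vendorPriv := NewDemoKeys(0x01) // vendorPub is what the application pins
	payload := []byte("constructed sample update binary")
	m := Manifest{Version: "1.0.1", URL: "http://update.app1.com/update.exe", SHA256: HashHex(payload)}
	body, sig, _ := SignManifest(vendorPriv, m)

	report := func(label string, body, sig, payload []byte) {
		if _, err := ApplyUpdate(vendorPub, body, sig, payload); err != nil {
			fmt.Printf("%-26s rejected: %v\n", label, err)
		} else {
			fmt.Printf("%-26s accepted\n", label)
		}
	}
	report("genuine update", body, sig, payload)
	// DNS redirected, manifest untouched, binary swapped (slide step 6)
	report("swapped binary", body, sig, []byte("backdoor.exe contents"))
	// DNS redirected and a manifest signed with a key that is not the pinned one (slide step 4)
	_, otherPriv := NewDemoKeys(0x99)
	other := Manifest{Version: "9.9", URL: "http://update.app1.com/backdoor.exe", SHA256: HashHex([]byte("backdoor.exe contents"))}
	otherBody, otherSig, _ := SignManifest(otherPriv, other)
	report("unpinned-key manifest", otherBody, otherSig, []byte("backdoor.exe contents"))
}
```

Only the first case is accepted. The design point is that the DNS answer, the TLS session and the web server are all untrusted inputs here; trust is anchored in the key compiled into the client, and the digest in the signed manifest extends that trust to the binary without signing the binary separately.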
and you know...

Next time you do an update!

don't believe everything you see
Questions!
Thanks!

Contact

blog.infobyte.com.ar

Francisco Amato - famato@infobyte.com.ar
Federico Kirschbaum - fedek@infobyte.com.ar